Computing systems such as desktop computers, laptop computers, tablets, netbooks, and servers, are now commonly used by various people and organizations. For example, students may use laptops when they attend classes on a school campus and employees may use desktops, laptops, tablets and servers when working at corporate/company locations. Computing systems may often be mobile computing systems, such as laptops, netbooks, smart phones, and personal digital assistants (PDAs). These mobile computing systems allow users to perform tasks at different locations (e.g., at home or at a coffee shop, rather than at a corporate office), due to the mobility of the mobile computing systems. Mobile computing systems may also provide users with convenient access to a computing system, when the user is not able to access a desktop computer or server. Many users use mobile computing systems because of the convenience and portability of the mobile computing systems.
As the prevalence of computing systems grows, authentication of users and system security on the computing systems continues to be an important concern. Many computing systems use a user password to allow a user access to the computing system (e.g., log into the computing system). If a non-authorized person obtains a user's password, then the non-authorized person may be able to obtain the privileges and the level of access the user had to the computing system. After gaining the privileges/access of the user, a non-authorized person may attempt to change the settings on the computing system, access network resources, and/or attempt to access sensitive data (e.g., access to the user's files on a local hard drive) on the computing system. For example, the non-authorized person may change network settings on the computing system to redirect network traffic to a different server. In another example, the non-authorized person may attempt to install malicious programs such as spyware, malware, viruses, trojans, keyloggers, and/or worms on the user's computing system. In a further example, the non-authorized person may be able connect to the network resources after gaining the privileges/access of the user. The non-authorized person might gain access to the network resources such as shared files, documents, emails, network drives, websites, and/or network services, by impersonating the user (e.g., by using a user's username and/or password).
In order to enhance the security of computing systems, some computing systems use multi-factor authentication. A multi-factor authentication may use three authentication factors: 1) something the user knows (e.g., the user's password); 2) something the user has (e.g., a security token or smart card); and 3) something the user is (e.g., a biometric factor such as a fingerprint, retinal scan, etc.). One common form of multi-factor authentication is two-factor authentication in which the first factor is the user password and the second factor is a one-time password (OTP). An OTP is generally a password which is valid for one login session or transaction. The OTP may be generated by a security token (e.g., a YubiKey® USB token, a physical token, a software token, etc.). A user may input the OTP manually (e.g., via a keyboard), when logging onto a computing system or the security token itself may provide the OTP to the computing system when the security token is coupled to the device (e.g., a YubiKey® token may provide the OTP to the computing system via Universal Serial Bus (USB) interface). The OTP provides an extra layer of security in addition to the user password. Some two-factor authentication systems may use a Personal Identification Number (PIN) which the user may provide to the security token, before the security token generates an OTP. The term OTP, as used herein, may refer to the OTP password or may refer to both the OTP and the PIN provided by the user, which may be included as an optional, static portion of the OTP.
Two-factor authentication systems generally authenticate the OTP before the user is given access to the computing system. The OTP is generally authenticated by an authentication server. If the computing system is unable to communicate with the authentication server, the computing system is unable to authenticate the OTP and the user may be denied access to the computing system.